Heartbleed Flaw Lurks in Android Apps Downloaded by Millions

Android itself isn't generally vulnerable. But many apps -- mostly games -- are. Also? Beware the Heartbleed-scanner apps.


Some 150 million downloads of Android mobile apps may be vulnerable to the Heartbleed bug, new security research has found.

And while there are as many as 17 Android apps that scan for the bug, at least six of them do so using a method that is insufficient.

The findings were published last night by three researchers, Yulong Zhang, Hui Xue and Tao Wei, at the computer security firm FireEye. “For the Android platform, we find that roughly 150M downloads of Android apps contain OpenSSL libraries vulnerable to Heartbleed,” they wrote.

Strictly speaking, versions of the Android platform — with the exception of Jelly Bean 4.1 and 4.1.1 — are not themselves vulnerable to Heartbleed, because most of them either don’t use OpenSSL or use it with the flawed features disabled by default. But individual apps often use OpenSSL, leaving them open to attack.

Most, the researchers say, are games. Games don’t contain much useful data, but some use authorization credentials that are linked to Facebook or Twitter accounts. An attacker could hijack a game account in the hope of getting access to a more valuable social media account.

A few office apps turned out to contain flawed versions of OpenSSL, but aren’t vulnerable to Heartbleed, because they rely instead on a safe version of OpenSSL contained in the Android OS.

As for the 17 Heartbleed scanner apps available on Google Play, six of them, they say, check installed apps on the phone and pronounce them all “safe,” but perform their scans using a method the researchers say is insufficient. Two fail to catch apps the researchers say are actually vulnerable to Heartbleed. “Only two of them did a decent check on Heartbleed vulnerability of apps,” they wrote. “Although they conservatively labeled some non-vulnerable apps as vulnerable, we agree it is a viable report which highlights both the vulnerabilities and the linkage mistakes.” Several more are fakes and don’t perform real detection at all, but serve only as adware. (The researchers don’t name any of the apps, good, bad or fake, in their post.)

Their latest research was current as of April 17, so the number of vulnerable apps may have come down since then. Their first scan was conducted on April 10, when the number of potentially vulnerable apps was closer to 220 million. “Fortunately, it seems most app developers and library vendors take Heartbleed seriously, as we have started to see apps updated with proper fixes.”

The findings appeared on the same day that Apple released software updates for the iPhone and iPad to fix vulnerabilities that allow attackers to bypass certain security protections. It also issued a Heartbleed-related fix for the AirPort Extreme.

This article originally appeared on
